Continually Evolving Cybersecurity Program


Continually Evolving Cybersecurity Program for the 2020 Census
Kevin Smith
Associate Director for Information Technology and Chief Information Officer
March 29, 2018

2020 CENSUS CYBERSECURITY

Agenda
- Overview
  – Plan
  – Challenge
  – Design
  – Cyber Threat Landscape
  – Approach

Overview
- U.S. Census Bureau: Leading source of quality data about the nation's people, places, and economy.
- Cyberattacks impact our data and could compromise our mission: Cybersecurity is our highest IT priority.
- Continually Evolving Cybersecurity:
  – Evolve cybersecurity to meet new threats.
  – Leveraging best resources and knowledge inside and outside the federal government.

Our Plan: Key Components
Cybersecurity program focus areas:
- Improving public perception and trust.
- Proactively addressing cyberthreats through design and approach
- Respond immediately to contain threats
- Partnerships to understand and manage threats
  – Federal intelligence community
  – Private sector
[Diagram: Continually Evolving Cybersecurity, with segments Public Perception/Trust, Cyberthreats, Approach, Design]

Challenge: Ensure Public Perception/Trust
Top Priorities
- Data Security – Protecting respondent data
- User Experience – Performance that public expects with confidence that their data will be protected
Top Priorities are Opposing Forces
Balance in Cloud Based Solution
- Data Security: Layer public facing systems in secure segments
- User Experience: Rapid, Repeatable, and Efficient scaling of isolated segments to ensure performance
[Diagram labels: Security, Data Security, User Experience, Performance]

Design
Incorporate many layers and levels of isolation.
- Apply right balance of security and performance
- Does not sacrifice overall security.
Create “funnel effect” to minimize undesired users
- Apply very high levels of security early to our publicly facing system.

Cyber Threat Landscape
A cloud-based system alone does not protect our data from all cyber threats
External Threats (Beyond U.S. Census Bureau Control)
- Compromising Respondent Device: Viruses on personal mobile devices, tablets, laptops, or PCs
- Compromised External Network Access: Web site routing, Internet providers
- Impersonation of the U.S. Census Bureau: Rogue Web sites, phishing
- Invalid Response: Improper use of Census Bureau ID or Non ID ISR path
Internal Threats (Within U.S. Census Bureau Control)
- Disruptions to the Internet Self-Response Web Site: Denial of service, computer-generated traffic
- Data Breaches: Brute force, malware, phishing, insider threats
- Compromised Employee Devices: Mobile devices, tablets, laptops, or PCs
Control
- Internal - Monitor and directly respond to internal threats to Census Bureau systems through design and approach
- External - Rely on industry and other federal agencies to provide services to resolve threats

Cyber Threats: External
- Census Bureau does not have direct control over external cyber threats
- We can detect some threats but cannot take direct action to resolve
Cyberthreats: External Threats (Beyond U.S. Census Bureau Control)
- Compromising Respondent Device: Viruses on personal mobile devices, tablets, laptops, or PCs
- Compromised External Network Access: Web site routing, Internet providers
- Impersonation of the U.S. Census Bureau: Rogue Web sites, phishing
- Invalid Response: Improper use of Census Bureau ID or Non ID ISR path
Risk Mitigation Strategy
- Federal Partnerships to assist with threat detection and recovery
- Communication Plan: inform respondents about personal proactive cybersecurity steps
- Industry Solutions to provide services that protect, detect, and resolve threats

Cyber Threats: Internal
- Census Bureau has the ability to take direct action to prevent and resolve internal threats
- Our team proactively monitors known threats
Cyberthreats: Internal Threats (Within U.S. Census Bureau Control)
- Disruptions to the Internet Self-Response Web Site: Denial of service, computer-generated traffic
- Data Breaches: Brute force, malware, phishing, insider threats
- Compromised Employee Devices: Mobile devices, tablets, laptops, or PCs
Risk Mitigation Strategy
- Federal partners for unknown threat protection and detection.
- Industry solutions to assist with known threat protection, detection, and recovery
- Our incident response plan to contain and manage security breaches.

Federal Cybersecurity Framework Responsibilities
- The Cybersecurity Framework is the continual lifecycle used to coordinate interactions of people, process, and technology to have a complete approach to Cybersecurity
- Census responsible for all areas across Census systems
  – Coherency, Coordination, Consistency
- Contractors work within Census to protect, detect, and respond for the systems they maintain.
- Federal Intelligence Community can assist in protecting against and detecting cyber threats
- Communications coordination necessary to ensure public trust and confidence during potential response and recovery
[Diagram labels: Census, Communications, Contractors, Federal Intelligence]

Key Areas and Partners
Secure Federal Network Connectivity for 2020 Respondents
- Working with Industry and Federal Government to ensure scalable and secure federal network connection
Strengthen Incident Response capabilities
- Advance ability to continually Identify, Protect, Detect, Respond, and Recover from possible cyber threats
- Improving visibility of cybersecurity issues by implementing tools from private industry and federal government
- Engaging Federal Intelligence Community for a coordinated Federal response.
Improve Cybersecurity Posture
- Improve knowledge, processes, procedures, and/or technology.
- Improving Knowledge, Processes, and Procedures
  – Regular Cybersecurity briefings with Federal Intelligence Community
  – Test response procedures to cybersecurity incidents through simulations with Federal Partners
- Testing Technology Security
  – Tested Internet Self Response system by Industry and Federal Government
  – Engaging Industry and Federal Government to simulate cybersecurity attacks

Approach
Our approach will continually be refined as threats emerge and evolve.
We Will:
- Maintain the public’s trust and confidence by protecting their data and keeping them informed
- Protect, detect, and respond to cyberthreats through technology and partnerships
- Adjust solutions accordingly within our flexible design
- Work with federal and industry partners to help us fill gaps
[Diagram: Continually Evolving Cybersecurity, with segments: Maintain positive public perception/trust of our data security; Prevent and detect cyberthreats; Design systems to adjust quickly as threats emerge; Approach: Implement strategically and refine as needed.]

Summary
Cyberthreats: External Threats (Beyond U.S. Census Bureau Control)
- Compromising Respondent Device
- Compromising External Network Access
- Impersonating the Census Bureau
- Inserting Invalid responses
Cyberthreats: Internal Threats (Within U.S. Census Bureau Control)
- Disrupting the Internet Self Response Web site
- Data Breach
- Compromised Employee Device
Risk
- Data on individual devices has minimal value to cybercriminals
- Continuous communication and technology mitigate risk
- Data collected and protected by the Census Bureau
- Continually evolving our cybersecurity program to prevent and detect threats
[Diagram labels: Individual Data, Everyone’s Data, High Value]
Continually evolving cybersecurity program will give us the best opportunity to:
- Identify, Protect, Detect, Respond, Recover from possible cyber threats
- Enable partners to get involved in necessary areas.
- Mitigate operational challenges to adjust quickly as threats are identified to contain for analysis.
